From aad1ea15f5b8d5e10bc9142bc6ca8abed533f1d6 Mon Sep 17 00:00:00 2001
From: Hristo Totov
Date: Fri, 12 Jun 2026 15:18:15 +0300
Subject: [PATCH] chore: add release workflow with OIDC publishing and harden CI security
---
.github/actions/build-docs/action.yml | 5 ++--
.github/workflows/deploy.yml | 4 +--
.github/workflows/pr-preview.yml | 2 +-
.github/workflows/release.yml | 42 +++++++++++++++++++++++++++
4 files changed, 47 insertions(+), 6 deletions(-)
create mode 100644 .github/workflows/release.yml
diff --git a/.github/actions/build-docs/action.yml b/.github/actions/build-docs/action.yml
index 82a56a9..cf39b81 100644
--- a/.github/actions/build-docs/action.yml
+++ b/.github/actions/build-docs/action.yml
@@ -10,15 +10,14 @@ runs:
 using: 'composite'
 steps:
 - name: Setup pnpm
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 with:
 version: 11.3.0
 - name: Setup Node.js
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .nvmrc
- cache: 'pnpm'
 - name: Install dependencies
 if: ${{ github.event.action != 'closed' }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2c01faa..d356a87 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,7 +11,7 @@ jobs:
 pages: write
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 persist-credentials: true
@@ -26,4 +26,4 @@ jobs:
 folder: packages/tester/doc_build
 branch: gh-pages
 clean-exclude: pr-preview
- force: false
\ No newline at end of file
+ force: false
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index e071236..1beada3 100644
--- a/.github/workflows/pr-preview.yml
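Review bot: The pin comments in the action.yml hunk move actions/setup-node from `# v6.2.0` back to `# v4.4.0` (and the deploy.yml hunk moves actions/checkout from `# v6.0.1` to `# v4.3.1`), a two-major-version downgrade in a commit described as hardening CI; older majors run on an older Node runtime and eventually stop receiving fixes, so if the downgrade is deliberate (runner compatibility, for example) the reason belongs in a comment beside the pin, otherwise the newer pins should stay. The same hunk drops `cache: 'pnpm'` from the setup-node step with no replacement, so every run of this composite action will refetch the pnpm store; that is a cost rather than a security change and deserves a mention in the commit message if intended. Nothing in the diff lets a reviewer confirm that each new commit SHA corresponds to the version named in its trailing comment, and the SHA is what actually runs, so whoever merges should check each hash against the upstream tag before approving.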
+++ b/.github/workflows/pr-preview.yml
@@ -19,7 +19,7 @@ jobs:
 pages: write
 steps:
 - name: Checkout
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 persist-credentials: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..1991384
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,42 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ contents: write
+ id-token: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: true
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+ with:
+ version: 11.3.0
+
+ - name: Setup Node.js
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ with:
+ node-version-file: .nvmrc
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Create release pull request or publish to npm
+ uses: changesets/action@57dd5be9ba8852146913fabe3c122b219bb90fa2 # v1.4.9
+ with:
+ publish: pnpm changeset publish
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
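Review bot: The new release job still hands the publish step a long-lived `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` even though the commit title calls the publishing OIDC-based and the job already grants `id-token: write`; if npm trusted publishing is configured for this package the static token is redundant and should be removed so a compromised step or dependency cannot exfiltrate it, and if it is not configured then `NPM_CONFIG_PROVENANCE: true` only attaches a provenance attestation and the publish itself remains token-based, which the title should not claim otherwise. The explicit `permissions:` block grants only `contents` and `id-token`, so the "create release pull request" path of changesets/action has no `pull-requests: write` and opening the release PR should fail; add `pull-requests: write` under `permissions:` (and confirm the repository setting that allows Actions to create pull requests). There is no `concurrency:` group on the workflow, so two pushes to `main` in quick succession can run `pnpm changeset publish` in parallel; a `concurrency: { group: release, cancel-in-progress: false }` at the workflow level would serialize them. The workflow's `on:` trigger is fully visible, so this note covers the whole new file.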